If you really believe your mod_rewrite rule is properly configured to "send *ALL* traffic to the same URL but via https" then:

I would double/triple check the access.log files to see if the request is actually getting served from the port 80 server.

If I visit www.foo.com and then change the address to www.bar.com and then click 'reload' in IE, it reloads www.foo.com. So I suspect that what you are seeing is that the browser is not doing what you expect it to do.

Next, I would run a packet sniffer (install Ethereal, it's pretty easy) and actually check out the request being sent by your browser to port 80. That should give you a better idea what the problem is.

I mean, if you haven't configured your port 80 Apache to talk to Tomcat, then the page you are seeing in your browser can't be arriving from port 80... simple as that, no?

- Erik

Andrew Davis wrote:

I have a test server set up with Apache 1.3.27, Tomcat 4.1.27, and mod_jk2. It's all running on RH Linux ES 2.1.

Apache is set up on ports 80 & 443. The port 80 config has only the basics defined, then has a mod_rewrite rule to send *ALL* traffic to the same URL but via https. It also has mod_jk2 set up to forward all .jsp & .do requests to Tomcat. Tomcat is listening on ports 8080 and 8009.

All seems to work fine, but there's a hole. If I go to http://qa-wap1, I am properly redirected to https://qa-wap1. As I log in, follow links, etc., I stay on the secure URL. However, if I get into a secure URL... say https://qa-wap1/submitProfile.jsp and change the URL in my browser to http://qa-wap1:80/submitProfile.jsp and refresh the browser, the entire page (content and images, both) reloads and looks perfect. The obvious problem is that I just circumvented the secure URL concept. There's a hole somewhere that I haven't been able to plug. This occurs with multiple browsers.

Interestingly, I have an almost identical setup using Apache 1.3.26 and Resin via mod_caucho. The mod_rewrite rule is the same, but if I try to substitute the URL as mentioned above, it immediately puts me back on the secure URL as it should.

The relevant portions of the config files are below. I'm hoping someone can help me get beyond this.

Relevant portion of httpd.conf:

<VirtualHost qa-wap1:80>
ServerName qa-wap1
ServerAlias qa-wap1.my.domain.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/qa-wap1_error_log
TransferLog /var/log/httpd/qa-wap1_access_log
CustomLog /var/log/httpd/qa-wap1_referer_log referer
CustomLog /var/log/httpd/qa-wap1_agent_log agent
#
RewriteEngine on
RewriteLogLevel 0
RewriteRule ^(.*) https://qa-wap1$1 [R=301]
</VirtualHost>

<VirtualHost qa-wap1:443>
ServerName qa-wap1
ServerAlias qa-wap1.my.domain.com
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/tomcat/webapps/Genvault
ErrorLog /var/log/httpd/qa-wap1_ssl_error_log
TransferLog /var/log/httpd/qa-wap1_ssl_access_log
CustomLog /var/log/httpd/qa-wap1_ssl_referer_log referer
CustomLog /var/log/httpd/qa-wap1_ssl_agent_log agent
DirectoryIndex index.htm
# SSL Options
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certs/qa-wap1.crt
SSLCertificateKeyFile /etc/httpd/certs/qa-wap1.key
# End SSL Options
</VirtualHost>

# Load mod_jk2
LoadModule jk2_module modules/mod_jk2.so
AddModule mod_jk2.c

Relevant portion of workers2.properties

#[logger.apache13]
#level=DEBUG

[shm]
file=/var/log/httpd/shm.file
size=1048576

[workerEnv:]
info=Global server options
timing=1
debug=0

[channel.socket:localhost:8009]
port=8009
host=127.0.0.1

# define the worker
[ajp13:localhost:8009]
channel=channel.socket.localhost:8009

# Uri mapping

[uri:/*.jsp]
worker=ajp13:localhost:8009

[uri:/*.do]
worker=ajp13:localhost:8009

[uri:/servlet/*]
worker=ajp13:localhost:8009

[uri:/services/*]
worker=ajp13:localhost:8009

I'm not including my server.xml as I don't think it's necessary, but I can if it will help. Most interestingly, I decided to circumvent the problem by setting a different DocumentRoot for the port 80 vhost, and having only a single index.html in the folder and have it do an immediate refresh to the secure URL (https://qa-wap1), plus I removed the rewrite rules. I would think that in doing this, if I change the URL to http://qa-wap1:80/submitProfile.jsp that I should get a 404 error. Unfortunately, I got the same results as above... the page loaded perfectly on the non-secure URL, except for the images.

And since I know someone will ask, when I change the URL (https://qa-wap1/submitProfile.jsp) to http://qa-wap1:80/submitProfile.jsp and refresh the browser, yes, the lock icon goes away. So it's not a client caching issue.



--
http://www.spectacle.ca/
The Online Source for Live Music in Montreal
.::514.286.1699::.
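
The access-log check suggested at the top of this message can be scripted. The following is an added example, not part of the original thread: it scans the port 80 vhost's transfer log and reports every request that was not answered with a 301, noting which of the posted mod_jk2 URI mappings the path matches. It assumes the TransferLog is in Common Log Format; the function name is hypothetical and the log lines are constructed.

```python
import re
from fnmatch import fnmatchcase

# URI patterns copied from the [uri:...] sections of the posted workers2.properties.
JK2_URI_PATTERNS = ["/*.jsp", "/*.do", "/servlet/*", "/services/*"]

# Common Log Format (assumption: no custom default LogFormat is in effect).
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines standing in for /var/log/httpd/qa-wap1_access_log.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:10:01:02 -0500] "GET / HTTP/1.1" 301 310',
    '10.0.0.5 - - [01/Jan/2004:10:03:40 -0500] "GET /submitProfile.jsp HTTP/1.1" 200 8123',
    '10.0.0.5 - - [01/Jan/2004:10:03:41 -0500] "GET /images/logo.gif HTTP/1.1" 404 285',
    '10.0.0.5 - - [01/Jan/2004:10:03:45 -0500] "POST /login.do?next=home HTTP/1.1" 200 512',
]

def audit_port80_log(lines):
    """Return every port 80 log entry that was not answered with a 301 redirect."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            # Do not silently skip lines the parser cannot read.
            findings.append({"line": lineno, "issue": "unparsed"})
            continue
        status = int(m["status"])
        if status == 301:
            continue  # expected: the rewrite rule redirected the request
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        # Which posted mod_jk2 mapping, if any, covers this path.
        pattern = next((p for p in JK2_URI_PATTERNS if fnmatchcase(path, p)), None)
        findings.append({"line": lineno, "issue": "not-redirected",
                         "status": status, "path": path, "jk2_pattern": pattern})
    return findings

if __name__ == "__main__":
    for f in audit_port80_log(SAMPLE_LOG):
        print(f)
```

An empty result on the real log means every plain-HTTP request logged by that vhost was redirected; any entry with a 200 status shows the content was served from port 80.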


